Browsermob proxy sends Proxy-Authorization header after authorization on chained proxy - how to stop it?
I start my BMP with options like this:
'httpProxy' => 'proxy.com',
'proxyUsername' => 'user',
'proxyPassword' => 'password',
'trustAllServers' => true,
and this works fine. After that I receive the proxy port from BMP and use it in my browser (system settings, no matter). After that I try to navigate to http. Ok, my headers are fine. But after that I try to navigate to https and my headers are not fine, because I see a PROXY_AUTHORIZATION string with my real proxy username and password in base64 encoding.
Question: what could be the problem and how to fix it? At the moment, the BMP sends Proxy-Authorization header even when it is already authorized. And this happens only when we use https.
Hi @s-belichenko. There is a bug in the current BrowserMob proxy that sends the header on non-connect responses. My company has an actively maintained fork of the proxy where we've merged a change that should take care of this credentials leak. Our fork is renamed the "browserup proxy" but it should be a drop-in replacement. https://github.com/browserup/browserup-proxy
Thank you, we will definitely consider your project as an option!
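A check for the leak described in this thread, as an added example that is not from the original posts or from either proxy project: it scans a raw request, as the origin server received it, for a Proxy-Authorization header and reports the scheme and username only. The sample requests, the host name and the function names are constructed for illustration.

```python
import base64

# Constructed sample: a request as the origin server received it through the
# proxy chain. Credentials are the placeholder values from the question.
LEAKY_REQUEST = (
    b"GET /headers HTTP/1.1\r\n"
    b"Host: origin.example\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"user:password") + b"\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
CLEAN_REQUEST = b"GET /headers HTTP/1.1\r\nHost: origin.example\r\nAccept: */*\r\n\r\n"


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_proxy_credential_leaks(raw: bytes) -> list[dict]:
    """Report every Proxy-Authorization header that reached the origin."""
    findings = []
    for name, value in parse_headers(raw):
        # Header names are case-insensitive. The question shows the header
        # spelled PROXY_AUTHORIZATION, so underscores are normalised too.
        if name.lower().replace("_", "-") != "proxy-authorization":
            continue
        scheme, _, token = value.partition(" ")
        finding = {"scheme": scheme, "username": None}
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
                # Keep only the username so the report does not repeat the password.
                finding["username"] = decoded.partition(":")[0]
            except ValueError:
                pass  # not valid base64: still a leak, just not decodable
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, req in (("leaky", LEAKY_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, find_proxy_credential_leaks(req))
```

Run it against requests captured at a test endpoint you control, once over HTTP and once over HTTPS, before and after changing the proxy; an empty list in both cases means the upstream credentials are no longer forwarded.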